On Fri, Dec 28, 2001 at 08:33:03AM -0500, Dave Reed wrote:
> The Linux box is no less secure if you have it all properly configured and
> keep up with security updates. The Linksys routers are just simpler
> since by default they don't (as far as I know) listen for incoming
> connections.

Actually, I can argue the Linux box is more secure if you've done all correctly, since we simply don't KNOW what's going on inside the LinkSys. There has been one firmware exploit of which I'm aware.

> As I've said before, it's really a matter of whether you want a simple
> solution (Linksys router) or want to spend some time learning about
> Linux networking.

There are also some other advantages to the Linux solution. It's much more flexible (and more complicated), and provides better logging of events. The downside, as noted, is that once you've got it running as the gateway for the network, you're awfully reluctant to pull it down or upgrade--anything that might break it.

The LinkSys, provided it's doing everything it's supposed to, is a very good solution. And its affordability actually allows you to establish a real, traditional recommended firewall configuration, with a true bastion firewall (the LinkSys) going to the curtain, or interior, firewall (the Linux box) that's a different kind of firewall. Send the logs from the bastion to the interior and audit them--although I don't know if the LinkSys can tell you it's under attack. If it can, then this fulfills the traditional function of a bastion firewall. (Sacrificial, but scream for help while being killed). Moreover, this gives you a real, honest-to-Ghu DMZ.

Incidentally, beware these silly imitation "DMZ ports" a lot of firewall vendors, including LinkSys, are touting. They're NOT. A real DMZ is nestled between two separate firewalls--this still gives you a single point of failure/attack, the single firewall itself. All this pseudo-DMZ does is make the rules setup for an open port simpler. Use it, if you wish, but don't believe you're getting the protection of a DMZ.

Cheers,
--
Dave Ihnat
[EMAIL PROTECTED]